omniauth google-oauth2 with devise - invalid_credentials and "Csrf detected"

Doug · Mar 21, 2013 · Viewed 9.4k times

Dear Fine People of SO:

I am developing a Ruby app on Rails 3.2.12 (and I am still new to it).

I am trying to get Devise working with Omniauth... the first strategy I am trying is Google_oauth2.

I have it working to the point where Google has redirected back into my localhost:3000 instance after selecting the credentials I want to use in Google.

Upon this redirection back into localhost, I see a flash notice:

Could not authenticate you from GoogleOauth2 because "Csrf detected".

The server logs contain this:

Started GET "/users/auth/google_oauth2" for 127.0.0.1 at 2013-03-21 08:57:01 -0400
(google_oauth2) Callback phase initiated.
(google_oauth2) Callback phase initiated.
(google_oauth2) Authentication failure! invalid_credentials: OmniAuth::Strategies::OAuth2::CallbackError, OmniAuth::Strategies::OAuth2::CallbackError

Started GET "/users/auth/google_oauth2/callback?state=7849a3762d07e7f89e69b4aa467efc7b7b2c21655193396b&code=4/v-dSBwAvQUUZL87iNV_yk_Z8s_x0.cnqsdbDX4gUYaDn_6y0ZQNgQ9hAaewI" for 127.0.0.1 at 2013-03-21 08:57:40 -0400
Processing by OmniauthCallbacksController#failure as HTML
  Parameters: {"state"=>"7849a3762d07e7f89e69b4aa467efc7b7b2c21655193396b", "code"=>"4/v-dSBwAvQUUZL87iNV_yk_Z8s_x0.cnqsdbDX4gUYaDn_6y0ZQNgQ9hAaewI"}
Redirected to http://localhost:3000/users/sign_in
Completed 302 Found in 0ms (ActiveRecord: 0.0ms)

I noticed that I get exactly the same result if I simply put the callback URL into the browser directly, without any parameters supplied.

http://localhost:3000/users/auth/google_oauth2/callback

What can I try? What other info can I provide?

Answer

Doug · Mar 21, 2013

Answering my own post.... I'm past this. I'm not entirely sure why, but I have some clues that might be worth passing on.

There are a bunch of other similar issues reported related to the omniauth-facebook strategy. They did not seem to apply to google, so I didn't look too deep. Then I tried to configure the FB strategy, and got the same problem. The FB solution was to revert the omniauth-facebook gem back to 1.4.0.

gem 'omniauth-facebook', '1.4.0'

This also automatically reverted the omniauth-oauth2 gem (I've not wrapped my head around the gem thing yet). When I tried the google link again, it did not throw the same Csrf detected message... Hmmm... reverting the FB gem fixed google ---- Need a disclaimer here, other things might have been the problem here, but I think I have it correct.

There is another problem worth mentioning. The log I provided above showed 2 repeated log messages....

(google_oauth2) Callback phase initiated.
(google_oauth2) Callback phase initiated.

This reveals another (maybe related) problem. It means that the callback was executed twice. Once I got past the CSRF issue, I started getting the invalid_credentials problem all by itself. The reason for the error is the duplicate callback call. Apparently, OAuth2 only allows a single use of the credential. The second use is invalid.

I used railscast #235 as my guide: http://railscasts.com/episodes/235-devise-and-omniauth-revised?autoplay=true

It had me add "provider" calls in the omniauth.rb initializer and config.omniauth calls in the devise.rb initializer. I guess these somehow result in duplicate callbacks?!?!?

Removing the entry from omniauth.rb got me past that one.

So there you have it. My second SO question, and my second question where I'm the only responder. Not sure if it's because they were dumb or hard... I hope the latter.
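The mechanism behind both messages, as an added example that is not part of the question or answer above and is not Devise's or OmniAuth's own code: a minimal Ruby model of the OAuth2 state-parameter check that newer omniauth-oauth2 releases perform in the callback phase, together with a stand-in token endpoint that accepts each authorization code exactly once. The session Hash, the TokenEndpoint class, the attempt and run_scenarios helpers and the result keys are all constructed for this example; the Google URL is a placeholder string and nothing is contacted over the network.

```ruby
require "securerandom"

# Raised by the callback phase; `reason` is the failure key OmniAuth would
# report (:csrf_detected or :invalid_credentials).
class CallbackError < StandardError
  attr_reader :reason

  def initialize(reason, message)
    @reason = reason
    super("#{reason}: #{message}")
  end
end

# Stand-in for the provider's token endpoint (constructed for the example):
# each authorization code it issues can be exchanged exactly once.
class TokenEndpoint
  def initialize
    @unused_codes = {}
  end

  def issue_code
    code = "4/" + SecureRandom.hex(12)
    @unused_codes[code] = true
    code
  end

  # Returns an access token on first use of a code, nil on every later use.
  def exchange(code)
    return nil unless @unused_codes.delete(code)
    "ya29.token-for-" + code
  end
end

# Minimal model of an OAuth2 strategy's request and callback phases.
class Oauth2Flow
  # session: a plain Hash standing in for the Rack session (assumption).
  def initialize(session, token_endpoint)
    @session = session
    @token_endpoint = token_endpoint
  end

  # Request phase: mint a random state, store it in the session and send it
  # to the provider on the authorize redirect (placeholder URL, never fetched).
  def request_phase
    state = SecureRandom.hex(24)
    @session["omniauth.state"] = state
    "https://accounts.google.com/o/oauth2/auth?response_type=code&state=#{state}"
  end

  # Callback phase: the echoed state must equal the stored one, which is
  # deleted on first use, so a direct GET or a replayed callback fails here.
  # Only then is the code exchanged; a rejected code is invalid_credentials.
  def callback_phase(params)
    expected = @session.delete("omniauth.state")
    if expected.nil? || expected.empty? || params["state"] != expected
      raise CallbackError.new(:csrf_detected, "Csrf detected")
    end

    token = @token_endpoint.exchange(params["code"])
    raise CallbackError.new(:invalid_credentials, "code rejected by token endpoint") if token.nil?
    token
  end
end

# Maps a callback outcome to :ok or the failure reason.
def attempt
  yield
  :ok
rescue CallbackError => e
  e.reason
end

# Runs the flow under the conditions the question describes.
def run_scenarios
  provider = TokenEndpoint.new
  flow = Oauth2Flow.new({}, provider)
  state = flow.request_phase[/state=([0-9a-f]+)/, 1]
  params = { "state" => state, "code" => provider.issue_code }

  results = {}
  # 1. Normal round trip: state matches and the code is fresh.
  results[:normal] = attempt { flow.callback_phase(params) }
  # 2. Bare GET on the callback URL: no request phase, so no stored state.
  results[:direct_get] = attempt { Oauth2Flow.new({}, provider).callback_phase({}) }
  # 3. The same callback handled a second time in the same session: the
  #    stored state was consumed by pass 1.
  results[:replayed_callback] = attempt { flow.callback_phase(params) }
  # 4. A fresh session with a matching state, but the code from pass 1:
  #    the provider has already redeemed it.
  fresh = Oauth2Flow.new({}, provider)
  fresh_state = fresh.request_phase[/state=([0-9a-f]+)/, 1]
  results[:reused_code] = attempt do
    fresh.callback_phase("state" => fresh_state, "code" => params["code"])
  end
  results
end

puts run_scenarios.inspect if $PROGRAM_NAME == __FILE__
```

Run it with ruby and look at the returned hash: a bare GET on the callback URL fails the state comparison because no state was ever stored, a callback handled twice in one session fails on the second pass because the stored state was deleted on the first, and even a fresh, matching state cannot rescue a code the provider has already redeemed. That last case is what a duplicated strategy produces. With Devise, config.omniauth in devise.rb is enough for Devise to mount the OmniAuth middleware itself, so an additional provider line inside an OmniAuth::Builder block in config/initializers/omniauth.rb mounts the same strategy a second time, and the callback is processed twice, which is the pair of "Callback phase initiated" lines in the log above.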